EP1668862B1 - Method and system for providing a secure communication between communication networks - Google Patents
Method and system for providing a secure communication between communication networks Download PDFInfo
- Publication number
- EP1668862B1 EP1668862B1 EP04769484A EP04769484A EP1668862B1 EP 1668862 B1 EP1668862 B1 EP 1668862B1 EP 04769484 A EP04769484 A EP 04769484A EP 04769484 A EP04769484 A EP 04769484A EP 1668862 B1 EP1668862 B1 EP 1668862B1
- Authority
- EP
- European Patent Office
- Prior art keywords
- network
- called party
- determining
- trusted
- address
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
- 238000004891 communication Methods 0.000 title claims abstract description 51
- 238000000034 method Methods 0.000 title claims abstract description 33
- 230000006870 function Effects 0.000 description 12
- 238000010295 mobile communication Methods 0.000 description 10
- 230000001413 cellular effect Effects 0.000 description 5
- 230000005540 biological transmission Effects 0.000 description 4
- 230000000977 initiatory effect Effects 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000008867 communication pathway Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 1
- 238000005206 flow analysis Methods 0.000 description 1
- 239000012092 media component Substances 0.000 description 1
- 230000011664 signaling Effects 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4535—Network directories; Name-to-address mapping using an address exchange platform which sets up a session between two nodes, e.g. rendezvous servers, session initiation protocols [SIP] registrars or H.323 gatekeepers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
- H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W8/00—Network data management
- H04W8/26—Network addressing or numbering for mobility support
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W92/00—Interfaces specially adapted for wireless communication networks
- H04W92/02—Inter-networking arrangements
Definitions
- the invention relates to communication method.
- a communication system can be seen as a facility that enables communication sessions between two or more entities such as user equipment and/or other nodes associated with the communication system.
- the communication may comprise, for example, communication of voice, data, multimedia and so on.
- a session may, for example, be a telephone call between users or multi-way conference session, or a communication session between user equipment and an application server (AS), for example a service provider server.
- AS application server
- the establishment of these sessions generally enables a user to be provided with various services.
- a communication system typically operates in accordance with a given standard or specification which sets out what the various entities associated with the communication system are permitted to do and how that should be achieved.
- the standard or specification may define if the user, or more precisely, user equipment is provided with a circuit switched service and/or a packet switched service.
- Communication protocols and/or parameters which shall be used for the connection may also be defined. In other words, a specific set of "rules" on which the communication can be based on needs to be defined to enable communication by means of the system.
- Communication systems providing wireless communication for user equipment are known.
- An example of the wireless systems is the public land mobile network (PLMN).
- the PLMNs are typically based on cellular technology.
- a base transceiver station (BTS) or similar access entity serves wireless user equipment (UE) known also as mobile stations (MS) via a wireless interface between these entities.
- UE wireless user equipment
- MS mobile stations
- the communication on the wireless interface between the user equipment and the elements of the communication network can be based on an appropriate communication protocol.
- the operation of the base station apparatus and other apparatus required for the communication can be controlled by one or several control entities.
- the various control entities may be interconnected.
- One or more gateway nodes may also be provided for connecting the cellular network to other networks e.g. to a public switched telephone network (PSTN) and/or other communication networks such as an IP (Internet Protocol) and/or other packet switched data networks.
- PSTN public switched telephone network
- IP Internet Protocol
- the mobile communications network provides an access network enabling a user with a wireless user equipment to access external networks, hosts, or services offered by specific service providers.
- the access point or gateway node of the mobile communication network then provides further access to an external network or an external host. For example, if the requested service is provided by a service provider located in other network, the service request is routed via the gateway to the service provider.
- the routing may be based on definitions in the mobile subscriber data stored by a mobile network operator.
- IP Multimedia An example of the services that may be offered for user such as the subscribers to a communication systems is the so called multimedia services.
- Some of the communication systems enabled to offer multimedia services are known as Internet Protocol (IP) Multimedia networks.
- IP Multimedia (IM) functionalities can be provided by means of an IP Multimedia Core Network (CN) subsystem, or briefly IP Multimedia subsystem (IMS).
- CN IP Multimedia Core Network
- IMS IP Multimedia subsystem
- the IMS includes various network entities for the provision of the multimedia services.
- the IMS services are intended to offer, among other services, IP connections between mobile user equipment.
- the third generation partnership project (3GPP) has defined use of the general packet radio service (GPRS) for the provision of the IMS services, and therefore this will be used in the following as an example of a possible backbone communication network enabling the IMS services.
- the exemplifying general packet radio service (GPRS) operation environment comprises one or more sub-network service areas, which are interconnected by a GPRS backbone network.
- a sub-network comprises a number of packet data service nodes (SN).
- SN packet data service nodes
- SGSN serving GPRS support nodes
- Each of the SGSNs is connected to at least one mobile communication network, typically to base station systems.
- the connection is typically by way of radio network controllers (RNC) or other access system controllers such as base stations controllers (BSC) in such a way that packet service can be provided for mobile user equipment via several base stations.
- RNC radio network controllers
- BSC base stations controllers
- the intermediate mobile communication network provides packet-switched data transmission between a support node and mobile user equipment.
- Different sub-networks are in turn connected to an external data network, e.g. to a public switched data network (PSPDN), via gateway GPRS support nodes (GGSN).
- PSPDN public switched data network
- GGSN gateway GPRS support nodes
- the GPRS services thus allow packet data transmission between mobile data terminals and external data networks.
- a PDP context may include a radio access bearer provided between the user equipment, the radio network controller and the SGSN, and switched packet data channels provided between the serving GPRS support node and the gateway GPRS support node.
- Each PDP context can carry more than one traffic flow, but all traffic flows within one particular PDP context are treated the same way as regards their transmission across the network.
- the PDP context treatment requirement is based on PDP context treatment attributes associated with the traffic flows, for example quality of service and/or charging attributes.
- the Third Generation Partnership Project (3GPP) has also defined a reference architecture for the third generation (3G) core network which will provide the users of user equipment with access to the multimedia services.
- This core network is divided into three principal domains. These are the Circuit Switched (CS) domain, the Packet Switched (PS) domain and the Internet Protocol Multimedia (IM) domain. The latter of these, the IM domain, is for ensuring that multimedia services are adequately managed.
- CS Circuit Switched
- PS Packet Switched
- IM Internet Protocol Multimedia
- Session Initiation Protocol is an application-layer control protocol for creating, modifying and terminating sessions with one or more participants (endpoints). SIP was generally developed to allow for initiating a session between two or more endpoints in the Internet by making these endpoints aware of the session semantics.
- a user connected to a SIP based communication system may communicate with various entities of the communication system based on standardised SIP messages. User equipment or users that run certain applications on the user equipment are registered with the SIP backbone so that an invitation to a particular session can be correctly delivered to these endpoints.
- SIP provides a registration mechanism for devices and users, and it applies mechanisms such as location servers and registrars to route the session invitations appropriately.
- Examples of the possible sessions that may be provided by means of SIP signalling include Internet multimedia conferences, Internet telephone calls, and multimedia distribution.
- the P-Asserted-Identity header has to be removed before it reaches the called party.
- a message sent by the caller contains a header identifying the sender, called a P-Asserted-Identity header.
- the format of this header if the sender is a user with a publicly-known user identification is: ⁇ sip:user1_public1@home1.net>
- the home network of the caller has to remove the header only in case the home network of the called party is not trusted. If the home network of the called party (which is the next hop for the home network of the caller) is trusted, then the home network of the caller will not remove the header. This is needed to be compliant with RFC3325, which says that the P-Asserted-Identity header has to be removed by the last element in the trusted domain.
- the mechanism proposed relies on the header field called 'P-Asserted-Identity' that contains a URI (commonly a SIP URI) and an optional display-name.
- a proxy server which handles a message can, after authenticating the originating user in some way (for example: Digest authentication), insert such a P-Asserted-Identity header field into the message and forward it to other trusted proxies.
- a proxy that is about to forward a message to a proxy server or UA that it does not trust removes all the P-Asserted-Identity header field values if the user requested that this information be kept private. Users can request this type of privacy.
- EP0465016A2 discloses trust realms, each of which is a collection of computers that share a common security policy.
- a trust realm service program in a calling computer system must retrieve information from a trust realm database table, which associates computers with trust realms, and determine whether there is a trust realm common to both the calling computer and a target computer. If there is no common trust realm, or if the target is not listed, message transmission is aborted.
- US 6,483,912 B1 discloses sending packets from an untrusted telephone interface unit to another untrusted telephone interface unit.
- An originator network edge device on a path between the telephone interface units translates a local address of a calling party to a global address and a terminating network edge device translates the global address to another local address, such that identifying information of the calling party is not revealed to a called party.
- a first network as specified in claim 21.
- Embodiments of the present invention relate particularly but not exclusively to Rel-5 IMS networks. Embodiments of the invention may also be applicable to other versions of the IMS network. Embodiments of the invention may be applicable to other SIP networks. Some embodiments of the invention may find wider application outside the SIP and IMS environments.
- a mobile communication system is typically arranged to serve a plurality of mobile user equipment usually via a wireless interface between the user equipment and base station of the communication system.
- the mobile communication system may logically be divided between a radio access network (RAN) and a core network (CN).
- RAN radio access network
- CN core network
- Figure 1 shows an example of a network architecture wherein the invention may be embodied.
- Figure 1 shows an IP Multimedia Network 45 for offering IP multimedia services for IP Multimedia Network subscribers.
- IP Multimedia (IM) functionalities can be provided by means of a Core Network (CN) subsystem including various entities for the provision of the service.
- CN Core Network
- Base stations 31 and 43 are arranged to transmit signals to and receive signals from mobile user equipment 30 and 44 of mobile users i.e. subscribers via a wireless interface.
- each of the mobile user equipment is able to transmit signals to and receive signals from the base station via the wireless interface.
- the base stations 31 and 43 belong to different radio access networks (RAN).
- RAN radio access networks
- each of the user equipment 30, 44 may access the IMS network 45 via the two access networks associated with base stations 31 and 43, respectively.
- Figure 1 shows the base stations of only two radio access networks, a typical mobile communication network usually includes a number of radio access networks.
- the 3G radio access network is typically controlled by appropriate radio network controller (RNC).
- RNC radio network controller
- This controller is not shown in order to enhance clarity.
- a controller may be assigned for each base station or a controller can control a plurality of base stations. Solutions wherein controllers are provided both in individual base stations and in the radio access network level for controlling a plurality of base stations are also known. It shall thus be appreciated that the name, location and number of the network controllers depends on the system.
- the mobile user may use any appropriate mobile device adapted for Internet Protocol (IP) communication to connect the network.
- IP Internet Protocol
- the mobile user may access the cellular network by means of a Personal computer (PC), Personal Data Assistant (PDA), mobile station (MS) and so on.
- PC Personal computer
- PDA Personal Data Assistant
- MS mobile station
- a mobile station may use a mobile station for tasks such as for making and receiving phone calls, for receiving and sending data from and to the network and for experiencing e.g. multimedia content.
- a mobile station is typically provided with processor and memory means for accomplishing these tasks.
- a mobile station may include antenna means for wirelessly receiving and transmitting signals from and to base stations of the mobile communication network.
- a mobile station may also be provided with a display for displaying images and other graphical information for the user of the mobile user equipment. Speaker means may are also be provided.
- the operation of a mobile station may be controlled by means of an appropriate user interface such as control buttons, voice commands and so on.
- a mobile station may also have several simultaneous sessions, for example a number of SIP sessions and activated PDP contexts.
- the user may also have a phone call and be simultaneously connected to at least one other service.
- the core network (CN) entities typically include various control entities and gateways for enabling the communication via a number of radio access networks and also for interfacing a single communication system with one or more communication system such as with other cellular systems and/or fixed line communication systems.
- serving GPRS support nodes 33, 42 and gateway GPRS support nodes 34, 40 are for provision of support for GPRS services 32, 41, respectively, in the network.
- the radio access network controller is typically connected to an appropriate core network entity or entities such as, but not limited to, the serving general packet radio service support nodes (SGSN) 33 and 42.
- SGSN serving general packet radio service support nodes
- each SGSN typically has access to designated subscriber database configured for storing information associated with the subscription of the respective user equipment.
- Radio network controller may communicate with a radio network controller via radio network channels which are typically referred to as radio bearers (RB). Each user equipment may have one or more radio network channel open at any one time with the radio network controller.
- the radio access network controller is in communication with the serving GPRS support node via an appropriate interface, for example on an Iu interface.
- the serving GPRS support node typically communicates with a gateway GPRS support node via the GPRS backbone network 32, 41.
- This interface is commonly a switched packet data interface.
- the serving GPRS support node and/or the gateway GPRS support node are for provision of support for GPRS services in the network.
- PDP packet data protocol
- Each PDP context usually provides a communication pathway between particular user equipment and the gateway GPRS support node and, once established, can typically carry multiple flows. Each flow normally represents, for example, a particular service and/or a media component of a particular service.
- the PDP context therefore often represents a logical communication pathway for one or more flow across the network.
- radio access bearers RAB
- RAB radio access bearers
- the user equipment 30, 44 may connect, via the GPRS network, to application servers that are generally connected to the IMS.
- the communication systems have developed such that services may be provided for the user equipment by means of various functions of the network that are handled by network entities known as servers.
- servers For example, in the current third generation (3G) wireless multimedia network architectures it is assumed that several different servers are used for handling different functions. These include functions such as the call session control functions (CSCFs).
- the call session control functions may be divided into various categories such as a proxy call session control function (P-CSCF)35 and 39, interrogating call session control function (I-CSCF)37, and serving call session control function (S-CSCF) 36 and 38.
- P-CSCF proxy call session control function
- I-CSCF interrogating call session control function
- S-CSCF serving call session control function
- the serving call session control function may form in the 3G IMS arrangements the entity a users needs to be registered with in order to be able to request for a service from the communication system.
- the CSCFs may define an IMS network of a UMTS system.
- CSCFs may be referenced to as the call state control functions.
- Communication systems may be arranged such that a user who has been provided with required communication resources by the backbone network has to initiate the use of services by sending a request for the desired service over the communication system. For example, a user may request for a session, transaction or other type of communications from an appropriate network entity.
- a database containing the domain name of the IMS networks and the corresponding IP addresses of the I-CSCFs has to be maintained in a SIP level database.
- SIP requests may contain either domain names or IP addresses in the Request (R)-universal resource indicator. It is not enough to store the domain names into the database. The calling party thus can check if the called party is in a trusted or untrusted network by seeing in the domain name or IP address associated with the called party are in the database.
- a database is kept with the domain names of the IMS networks the home network trusts
- step S1 it is determined in the request contains a domain name.
- step S2 the next step is step S2 where it is checked to see if the domain is in the database. If so the next hop is considered a trusted domain and the corresponding procedures are applied (step S3). If the domain is not in the database, then consider the next hop an untrusted domain, and apply the corresponding procedures -step S4.
- the message may be discarded or alternatively modified. If the message is modified, information identifying the calling party will be removed. This information may be the P-Asserted header. This will be done if the calling party has requested privacy, ie that their identity be kept private.
- Step S5 and S1 may be combined in a single step. If the request contains an IP address then a then a reverse DNS query is made to find out the corresponding domain - step 6. That is a request is sent ot the Domain name server for the name of the domain associated with the IP address. The next step will then be step S2 with the checking of the database.
- a database is kept only at the S-CSCF of the home network which lists there all the known IMS network domain names the home network trusts.
- R-URI contains an IP address instead of a domain name (and thus can not be checked in the database), then it is simply assumed that the next hop is an untrusted domain.
- the NDS network domain security is configured in the security gateways (SPD) in such a way, that an IP packet coming from a CSCF of the domain the gateway is part of, would be sent over a secure connection. If a secure connection towards the destination does not exists, the packet is simply discarded and an ICMP Internet control message protocol message generated.
- the ICMP is an Internet protocol which delivers error and control messages between a gateway or a destination host and the source host about IP datagram processing. ICMP can for example report an error in the IP datagram processing.
- ICMP is usually part of the IP protocol. Thus, the home network always assumes the next hop is trusted and does not remove the P-Asserted-Identity. If it happens that the next hop is not trusted, then the packet is discarded, and does not reach the called party.
- the interfaces are defined for protection of native IP based protocols:
- the Za-interface covers all NDS/IP (Network Domain Security/Internet Protocol) traffic between security domains.
- the SEGs Security Gateways
- IKE Internet Key Exchange
- ESP Encapsulating Security Payload
- ESP shall be used with both encryption and authentication/integrity, but an authentication/integrity only mode is allowed.
- the tunnel is subsequently used for forwarding NDS/IP traffic between security domain A and security domain B.
- One SEG can be dedicated to only serve a certain subset of all roaming partners. This will limit the number of SAs and tunnels that need to be maintained.
- the Zb-interface is located between SEGs and NEs and between NEs within the same security domain.
- the Zb-interface is optional for implementation. If implemented, it shall implement ESP+IKE.
- ESP On the Zb-interface, ESP shall always be used with authentication/integrity protection. The use of encryption is optional. The ESP Security Association shall be used for all control plane traffic that needs security protection.
- the Security Association is established when needed or a priori is for the security domain operator to decide.
- the Security Association is subsequently used for exchange of NDS/IP traffic between the NEs.
- the security policy established over the Za-interface is subject to roaming agreements. This differs from the security policy enforced over the Zb-interface, which is unilaterally decided by the security domain operator.
- the basic idea to the NDS/IP architecture is to provide hop-by-hop security. This is in accordance with the chained-tunnels or hub-and-spoke models of operation.
- the use of hop-by-hop security also makes it easy to operate separate security policies internally and towards other external security domains.
- SEGs Security Gateways
- the SEGs will then establish and maintain IPsec secured ESP Security Association in tunnel mode between security domains.
- SEGs will normally maintain at least one IPsec tunnel available at all times to a particular peer SEG.
- the SEG will maintain logically separate SAD and SPD databases for each interface.
- the NEs may be able to establish and maintain ESP Security Associations as needed towards a SEG or other NEs within the same security domain. All NDS/IP traffic from a NE in one security domain towards a NE in a different security domain will be routed via a SEG and will be afforded hop-by-hop security protection towards the final destination.
- the SEG of the calling party will determine if the packet for the called party is to be sent over a secure connection to the SEG of the called party. If there is no secure connection the packet is discarded. If there is a secure connection the packet is sent.
- the SEG of the calling party will remove the identity information from the message, that is the P-Asserted header.
- the modified message is then sent to the called party.
- P-asserted header information is removed from the packet.
- identification information relating to the identity of the calling party will be removed.
- the database is described as storing the identity of trusted parties only. In one modification it could store only the identity of untrusted parties or both the untrusted and trusted parties along with information indicating if they are trusted or not.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
- Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)
- Communication Control (AREA)
Abstract
Description
- The invention relates to communication method.
- A communication system can be seen as a facility that enables communication sessions between two or more entities such as user equipment and/or other nodes associated with the communication system. The communication may comprise, for example, communication of voice, data, multimedia and so on. A session may, for example, be a telephone call between users or multi-way conference session, or a communication session between user equipment and an application server (AS), for example a service provider server. The establishment of these sessions generally enables a user to be provided with various services.
- A communication system typically operates in accordance with a given standard or specification which sets out what the various entities associated with the communication system are permitted to do and how that should be achieved. For example, the standard or specification may define if the user, or more precisely, user equipment is provided with a circuit switched service and/or a packet switched service. Communication protocols and/or parameters which shall be used for the connection may also be defined. In other words, a specific set of "rules" on which the communication can be based on needs to be defined to enable communication by means of the system.
- Communication systems providing wireless communication for user equipment are known. An example of the wireless systems is the public land mobile network (PLMN). The PLMNs are typically based on cellular technology. In cellular systems, a base transceiver station (BTS) or similar access entity serves wireless user equipment (UE) known also as mobile stations (MS) via a wireless interface between these entities. The communication on the wireless interface between the user equipment and the elements of the communication network can be based on an appropriate communication protocol. The operation of the base station apparatus and other apparatus required for the communication can be controlled by one or several control entities. The various control entities may be interconnected.
- One or more gateway nodes may also be provided for connecting the cellular network to other networks e.g. to a public switched telephone network (PSTN) and/or other communication networks such as an IP (Internet Protocol) and/or other packet switched data networks. In such arrangement the mobile communications network provides an access network enabling a user with a wireless user equipment to access external networks, hosts, or services offered by specific service providers. The access point or gateway node of the mobile communication network then provides further access to an external network or an external host. For example, if the requested service is provided by a service provider located in other network, the service request is routed via the gateway to the service provider. The routing may be based on definitions in the mobile subscriber data stored by a mobile network operator.
- An example of the services that may be offered for user such as the subscribers to a communication systems is the so called multimedia services. Some of the communication systems enabled to offer multimedia services are known as Internet Protocol (IP) Multimedia networks. IP Multimedia (IM) functionalities can be provided by means of an IP Multimedia Core Network (CN) subsystem, or briefly IP Multimedia subsystem (IMS). The IMS includes various network entities for the provision of the multimedia services. The IMS services are intended to offer, among other services, IP connections between mobile user equipment.
- The third generation partnership project (3GPP) has defined use of the general packet radio service (GPRS) for the provision of the IMS services, and therefore this will be used in the following as an example of a possible backbone communication network enabling the IMS services. The exemplifying general packet radio service (GPRS) operation environment comprises one or more sub-network service areas, which are interconnected by a GPRS backbone network. A sub-network comprises a number of packet data service nodes (SN). In this application the service nodes will be referred to as serving GPRS support nodes (SGSN). Each of the SGSNs is connected to at least one mobile communication network, typically to base station systems. The connection is typically by way of radio network controllers (RNC) or other access system controllers such as base stations controllers (BSC) in such a way that packet service can be provided for mobile user equipment via several base stations. The intermediate mobile communication network provides packet-switched data transmission between a support node and mobile user equipment. Different sub-networks are in turn connected to an external data network, e.g. to a public switched data network (PSPDN), via gateway GPRS support nodes (GGSN). The GPRS services thus allow packet data transmission between mobile data terminals and external data networks.
- In such a network, a packet data session is established to carry traffic flows over the network. Such a packet data session is often referred as a packet data protocol (PDP) context. A PDP context may include a radio access bearer provided between the user equipment, the radio network controller and the SGSN, and switched packet data channels provided between the serving GPRS support node and the gateway GPRS support node.
- A data communication session between the user equipment and other party would then be carried on the established PDP context. Each PDP context can carry more than one traffic flow, but all traffic flows within one particular PDP context are treated the same way as regards their transmission across the network. The PDP context treatment requirement is based on PDP context treatment attributes associated with the traffic flows, for example quality of service and/or charging attributes.
- The Third Generation Partnership Project (3GPP) has also defined a reference architecture for the third generation (3G) core network which will provide the users of user equipment with access to the multimedia services. This core network is divided into three principal domains. These are the Circuit Switched (CS) domain, the Packet Switched (PS) domain and the Internet Protocol Multimedia (IM) domain. The latter of these, the IM domain, is for ensuring that multimedia services are adequately managed.
- The IM domain supports the Session Initiation Protocol (SIP) as developed by the Internet Engineering Task Force (IETF). Session Initiation Protocol (SIP) is an application-layer control protocol for creating, modifying and terminating sessions with one or more participants (endpoints). SIP was generally developed to allow for initiating a session between two or more endpoints in the Internet by making these endpoints aware of the session semantics. A user connected to a SIP based communication system may communicate with various entities of the communication system based on standardised SIP messages. User equipment or users that run certain applications on the user equipment are registered with the SIP backbone so that an invitation to a particular session can be correctly delivered to these endpoints. To achieve this, SIP provides a registration mechanism for devices and users, and it applies mechanisms such as location servers and registrars to route the session invitations appropriately. Examples of the possible sessions that may be provided by means of SIP signalling include Internet multimedia conferences, Internet telephone calls, and multimedia distribution.
- Reference is made to IETF document RFC 3325 . This document describes private extensions to SIP that enable a network of trusted SIP servers to assert the identity of end users or end systems, and to convey indications of end-user requested privacy. The use of these extensions is applicable inside a 'Trust Domain' as defined in Short term requirements for Network Asserted Identity. Nodes in such a Trust Domain are explicitly trusted by its users and end-systems to publicly assert the identity of each party, and to be responsible for withholding that identity outside of the Trust Domain when privacy is requested.
- In order to be able to apply the privacy procedures described in RFC3325, there is a need to detect the trustworthiness of the next hop network. If the next hop is trusted, then the procedures related to the different privacy options are delegated to the next hop. Otherwise the privacy procedures need to be executed.
- As an example, in case the caller asks for identity privacy, the P-Asserted-Identity header has to be removed before it reaches the called party. A message sent by the caller contains a header identifying the sender, called a P-Asserted-Identity header. The format of this header if the sender is a user with a publicly-known user identification is: <sip:user1_public1@home1.net> The home network of the caller has to remove the header only in case the home network of the called party is not trusted. If the home network of the called party (which is the next hop for the home network of the caller) is trusted, then the home network of the caller will not remove the header. This is needed to be compliant with RFC3325, which says that the P-Asserted-Identity header has to be removed by the last element in the trusted domain.
- In RFC 3325, the mechanism proposed relies on the header field called 'P-Asserted-Identity' that contains a URI (commonly a SIP URI) and an optional display-name. A proxy server which handles a message can, after authenticating the originating user in some way (for example: Digest authentication), insert such a P-Asserted-Identity header field into the message and forward it to other trusted proxies. A proxy that is about to forward a message to a proxy server or UA that it does not trust removes all the P-Asserted-Identity header field values if the user requested that this information be kept private. Users can request this type of privacy.
- For the procedures to be applied in the correct place, the trustworthiness of the next hop has to be detected in some way.
- A known document,
EP0465016A2 discloses trust realms, each of which is a collection of computers that share a common security policy. To send a message, a trust realm service program in a calling computer system must retrieve information from a trust realm database table, which associates computers with trust realms, and determine whether there is a trust realm common to both the calling computer and a target computer. If there is no common trust realm, or if the target is not listed, message transmission is aborted. - Another known document,
US 6,483,912 B1 , discloses sending packets from an untrusted telephone interface unit to another untrusted telephone interface unit. An originator network edge device on a path between the telephone interface units translates a local address of a calling party to a global address and a terminating network edge device translates the global address to another local address, such that identifying information of the calling party is not revealed to a called party. - According to a first aspect of the invention, there is provided a method as specified in
claim 1. - According to a second aspect, there is provided a first network as specified in claim 21.
- There is further provided a communications system comprising such a first network.
- For better understanding of the invention, reference will now be made by way of example to the accompanying drawings in which:
-
Figure 1 shows a communication system wherein the invention may be embodied; -
Figure 2 is a flowchart illustrating the operation of one embodiment of the invention; -
Figure 3 shows a context in which an embodiment of the invention may be provided. - Embodiments of the present invention relate particularly but not exclusively to Rel-5 IMS networks. Embodiments of the invention may also be applicable to other versions of the IMS network. Embodiments of the invention may be applicable to other SIP networks. Some embodiments of the invention may find wider application outside the SIP and IMS environments.
- Certain embodiments of the present invention will be described by way of example, with reference to the exemplifying architecture of a third generation (3G) mobile communications system. However, it will be understood that certain embodiments may be applied to any other suitable form of network. A mobile communication system is typically arranged to serve a plurality of mobile user equipment usually via a wireless interface between the user equipment and base station of the communication system. The mobile communication system may logically be divided between a radio access network (RAN) and a core network (CN).
- Reference is made to
Figure 1 which shows an example of a network architecture wherein the invention may be embodied.Figure 1 shows anIP Multimedia Network 45 for offering IP multimedia services for IP Multimedia Network subscribers. IP Multimedia (IM) functionalities can be provided by means of a Core Network (CN) subsystem including various entities for the provision of the service. -
Base stations mobile user equipment Figure 1 , thebase stations user equipment IMS network 45 via the two access networks associated withbase stations Figure 1 shows the base stations of only two radio access networks, a typical mobile communication network usually includes a number of radio access networks. - The 3G radio access network (RAN) is typically controlled by appropriate radio network controller (RNC). This controller is not shown in order to enhance clarity. A controller may be assigned for each base station or a controller can control a plurality of base stations. Solutions wherein controllers are provided both in individual base stations and in the radio access network level for controlling a plurality of base stations are also known. It shall thus be appreciated that the name, location and number of the network controllers depends on the system.
- The mobile user may use any appropriate mobile device adapted for Internet Protocol (IP) communication to connect the network. For example, the mobile user may access the cellular network by means of a Personal computer (PC), Personal Data Assistant (PDA), mobile station (MS) and so on. The following examples are described in the context of mobile stations.
- One skilled in the art is familiar with the features and operation of a typical mobile station. Thus, a detailed explanation of these features is not necessary. It is sufficient to note that the user may use a mobile station for tasks such as for making and receiving phone calls, for receiving and sending data from and to the network and for experiencing e.g. multimedia content. A mobile station is typically provided with processor and memory means for accomplishing these tasks. A mobile station may include antenna means for wirelessly receiving and transmitting signals from and to base stations of the mobile communication network. A mobile station may also be provided with a display for displaying images and other graphical information for the user of the mobile user equipment. Speaker means may are also be provided. The operation of a mobile station may be controlled by means of an appropriate user interface such as control buttons, voice commands and so on.
- It shall be appreciated that although only two mobile stations are shown in
Figure 1 for clarity, a number of mobile stations may be in simultaneous communication with each base station of the mobile communication system. A mobile station may also have several simultaneous sessions, for example a number of SIP sessions and activated PDP contexts. The user may also have a phone call and be simultaneously connected to at least one other service. - The core network (CN) entities typically include various control entities and gateways for enabling the communication via a number of radio access networks and also for interfacing a single communication system with one or more communication system such as with other cellular systems and/or fixed line communication systems. In
Figure 1 servingGPRS support nodes GPRS support nodes GPRS services - The radio access network controller is typically connected to an appropriate core network entity or entities such as, but not limited to, the serving general packet radio service support nodes (SGSN) 33 and 42. Although not shown, each SGSN typically has access to designated subscriber database configured for storing information associated with the subscription of the respective user equipment.
- User equipment within the radio access network may communicate with a radio network controller via radio network channels which are typically referred to as radio bearers (RB). Each user equipment may have one or more radio network channel open at any one time with the radio network controller. The radio access network controller is in communication with the serving GPRS support node via an appropriate interface, for example on an Iu interface.
- The serving GPRS support node, in turn, typically communicates with a gateway GPRS support node via the
GPRS backbone network - Overall communication between user equipment in an access entity and a gateway GPRS support node is generally provided by a packet data protocol (PDP) context. Each PDP context usually provides a communication pathway between particular user equipment and the gateway GPRS support node and, once established, can typically carry multiple flows. Each flow normally represents, for example, a particular service and/or a media component of a particular service. The PDP context therefore often represents a logical communication pathway for one or more flow across the network. To implement the PDP context between user equipment and the serving GPRS support node, radio access bearers (RAB) need to be established which commonly allow for data transfer for the user equipment. The implementation of these logical and physical channels is known to those skilled in the art and is therefore not discussed further herein.
- The
user equipment - The communication systems have developed such that services may be provided for the user equipment by means of various functions of the network that are handled by network entities known as servers. For example, in the current third generation (3G) wireless multimedia network architectures it is assumed that several different servers are used for handling different functions. These include functions such as the call session control functions (CSCFs). The call session control functions may be divided into various categories such as a proxy call session control function (P-CSCF)35 and 39, interrogating call session control function (I-CSCF)37, and serving call session control function (S-CSCF) 36 and 38. A user who wishes to use services provided by an application server via the IMS system may need to register with a serving control entity. The serving call session control function (S-CSCF) may form in the 3G IMS arrangements the entity a users needs to be registered with in order to be able to request for a service from the communication system. The CSCFs may define an IMS network of a UMTS system.
- It shall be appreciated that similar function may be referred to in different systems with different names. For example, in certain applications the CSCFs may be referenced to as the call state control functions.
- Communication systems may be arranged such that a user who has been provided with required communication resources by the backbone network has to initiate the use of services by sending a request for the desired service over the communication system. For example, a user may request for a session, transaction or other type of communications from an appropriate network entity.
- In one embodiment of the present invention, there is a database at the S-CSCF of the home network of the calling party which lists all the known IMS network domain names and IP addresses the home network trusts.
- A database containing the domain name of the IMS networks and the corresponding IP addresses of the I-CSCFs has to be maintained in a SIP level database. As SIP requests may contain either domain names or IP addresses in the Request (R)-universal resource indicator. It is not enough to store the domain names into the database. The calling party thus can check if the called party is in a trusted or untrusted network by seeing in the domain name or IP address associated with the called party are in the database.
- It is however possible in an alternative embodiment of the invention to make reverse DNS domain name server queries whenever an IP address is received instead of a domain name in the R-URI. Thus, the following simplified solution is also possible which will be described with reference to
Figure 2 : - In step S1 it is determined in the request contains a domain name.
- If so the next step is step S2 where it is checked to see if the domain is in the database. If so the next hop is considered a trusted domain and the corresponding procedures are applied (step S3). If the domain is not in the database, then consider the next hop an untrusted domain, and apply the corresponding procedures -step S4.
- If the called party is an untrusted party, the message may be discarded or alternatively modified. If the message is modified, information identifying the calling party will be removed. This information may be the P-Asserted header. This will be done if the calling party has requested privacy, ie that their identity be kept private.
- If the request does not contain the domain name it is determined if a request with an IP address in R-URI is received - step S5. Step S5 and S1 may be combined in a single step. If the request contains an IP address then a then a reverse DNS query is made to find out the corresponding domain - step 6. That is a request is sent ot the Domain name server for the name of the domain associated with the IP address. The next step will then be step S2 with the checking of the database.
- In a further embodiment of the invention, a database is kept only at the S-CSCF of the home network which lists there all the known IMS network domain names the home network trusts.
- If the R-URI contains an IP address instead of a domain name (and thus can not be checked in the database), then it is simply assumed that the next hop is an untrusted domain.
- In a still further embodiment of the invention, the NDS network domain security is configured in the security gateways (SPD) in such a way, that an IP packet coming from a CSCF of the domain the gateway is part of, would be sent over a secure connection. If a secure connection towards the destination does not exists, the packet is simply discarded and an ICMP Internet control message protocol message generated. The ICMP is an Internet protocol which delivers error and control messages between a gateway or a destination host and the source host about IP datagram processing. ICMP can for example report an error in the IP datagram processing. ICMP is usually part of the IP protocol. Thus, the home network always assumes the next hop is trusted and does not remove the P-Asserted-Identity. If it happens that the next hop is not trusted, then the packet is discarded, and does not reach the called party.
- The consequence of this solution is, that CSCF will only be able to communicate with SIP entities belonging to a trusted domain.
- Reference is made to Third Generation Partnership Project specification number TS33.210 version 3.3.0. The document describes a network domain security architecture outline. Reference is made to
Figure 3 which shows this architecture to which embodiments of the present invention can be applied. - An explanation will firstly be given regarding the Za and Zb interfaces that can exist between networks and within networks respectively. This explanation is taken from the 3GPP TS 33.210 V6.0.0 (2002-12) Technical Specification, Release 6.
Figure 3 shows two security domains and the Za and Zb interfaces between entities of these domains. - The interfaces are defined for protection of native IP based protocols:
- The Za-interface covers all NDS/IP (Network Domain Security/Internet Protocol) traffic between security domains. The SEGs (Security Gateways) use IKE (Internet Key Exchange) to negotiate, establish and maintain a secure ESP (Encapsulating Security Payload) tunnel between them. Subject to roaming agreements, the inter-SEG tunnels would normally be available at all times, but they can also be established as needed. ESP shall be used with both encryption and authentication/integrity, but an authentication/integrity only mode is allowed. The tunnel is subsequently used for forwarding NDS/IP traffic between security domain A and security domain B.
- One SEG can be dedicated to only serve a certain subset of all roaming partners. This will limit the number of SAs and tunnels that need to be maintained.
- All security domains compliant with this specification shall operate the Za-interface.
- The Zb-interface is located between SEGs and NEs and between NEs within the same security domain. The Zb-interface is optional for implementation. If implemented, it shall implement ESP+IKE.
- On the Zb-interface, ESP shall always be used with authentication/integrity protection. The use of encryption is optional. The ESP Security Association shall be used for all control plane traffic that needs security protection.
- Whether the Security Association is established when needed or a priori is for the security domain operator to decide. The Security Association is subsequently used for exchange of NDS/IP traffic between the NEs.
- The security policy established over the Za-interface is subject to roaming agreements. This differs from the security policy enforced over the Zb-interface, which is unilaterally decided by the security domain operator.
- The basic idea to the NDS/IP architecture is to provide hop-by-hop security. This is in accordance with the chained-tunnels or hub-and-spoke models of operation. The use of hop-by-hop security also makes it easy to operate separate security policies internally and towards other external security domains.
- In NDS/IP only the Security Gateways (SEGs) shall engage in direct communication with entities in other security domains for NDS/IP traffic. The SEGs will then establish and maintain IPsec secured ESP Security Association in tunnel mode between security domains. SEGs will normally maintain at least one IPsec tunnel available at all times to a particular peer SEG. The SEG will maintain logically separate SAD and SPD databases for each interface.
- The NEs may be able to establish and maintain ESP Security Associations as needed towards a SEG or other NEs within the same security domain. All NDS/IP traffic from a NE in one security domain towards a NE in a different security domain will be routed via a SEG and will be afforded hop-by-hop security protection towards the final destination.
- Operators may decide to establish only one ESP Security Association between two communicating security domains. This would make for coarse-grained security granularity. The benefits to this is that it gives a certain amount of protection against traffic flow analysis while the drawback is that one will not be able to differentiate the security protection given between the communicating entities. This does not preclude negotiation of finer grained security granularity at the discretion of the communicating entities.
- In embodiments of the invention, the SEG of the calling party will determine if the packet for the called party is to be sent over a secure connection to the SEG of the called party. If there is no secure connection the packet is discarded. If there is a secure connection the packet is sent.
- In one modification, if there is no secure connection, the SEG of the calling party will remove the identity information from the message, that is the P-Asserted header. The modified message is then sent to the called party.
- In embodiments of the invention, P-asserted header information is removed from the packet. In alternative embodiments of the invention which do not have the P-Asserted information, identification information relating to the identity of the calling party will be removed.
- The database is described as storing the identity of trusted parties only. In one modification it could store only the identity of untrusted parties or both the untrusted and trusted parties along with information indicating if they are trusted or not.
- It should be appreciated that the description of one embodiment where there is a GPRS system is by way of example only and other systems may be used in alternative embodiments of the invention.
- It should be appreciated that while embodiments of the invention have been described in relation to user equipment such as mobile stations, embodiments of the invention are applicable to any other suitable type of user equipment.
- The examples of the invention have been described in the context of an IMS system and GPRS networks. This invention is also applicable to any other access techniques. Furthermore, the given examples are described in the context of SIP networks with SIP capable entities. This invention is also applicable to any other appropriate communication systems, either wireless or fixed line systems and standards and protocols.
- The embodiments of the invention have been discussed in the context of call state control functions. Embodiments of the invention can be applicable to other network elements where applicable.
- It is also noted herein that while the above describes exemplifying embodiments of the invention, there are several variations and modifications which may be made to the disclosed solution without departing from the scope of the invention as defined in the appended claims.
Claims (25)
- A method comprising:determining in a first network (32) an address associated with a called party in a second network; characterised bydetermining based on said address if said called party (44) is in a trusted network; andcontrolling communication between the called party (44) and a calling party (30) in the first network (32) in dependence on if it is determined that said called party (44) is in a trusted network, wherein if the called party (44) is not in a trusted network, at least one message for the called party is modified.
- A method as claimed in claim 1, wherein the address is contained in a message for said called party (44).
- A method as claimed in claim 2, wherein the message is in packet form.
- A method as claimed in any preceding claim, wherein the determining if the called party (44) is in a trusted network step comprises checking (32) if the address is contained in a database of trusted networks.
- A method as claimed in claim 4, wherein said database is in said first network (32).
- A method as claimed in claim 4 or 5, wherein the database is provided in a CSCF or security gateway.
- A method as claimed in any of claims 4 to 7, wherein said database comprises the domain names associated with trusted networks.
- A method as claimed in claim 7, wherein said database further comprises the IP addresses of trusted networks.
- A method as claimed in any preceding claim, wherein said determining an address comprises determining if the address contains a domain name.
- A method as claimed in claim 8 or 9, wherein if it is determined that the address does not contain a domain name, a request is sent for the domain name.
- A method as claimed in claim 10, wherein said request is sent to a domain name server.
- A method as claimed in claim 9, wherein if it is determined that the address does not contain a domain name, it is assumed (54) that the called party (44) is in an untrusted network.
- A method as claimed in claim 12, wherein said at least one message for the called party (44) is modified by removing identity information relating to said calling party (30).
- A method as claimed in claim13, wherein said identity information is a P-Asserted-Identity header.
- A method as claimed in any preceding claim, wherein said first and second network (32,41) operate in accordance with SIP.
- A method as claimed in any preceding claim, wherein the determining if the called party is in a trusted network comprises determining if a connection from the first network (30) to the second network (44) is secured.
- A method as claimed in claim 16, wherein the determining if the called party (44) is in a trusted network is carried out in a gateway of the first network.
- A method as claimed in claim 17, wherein the determining if the called party (44) is in a trusted network comprises determining in the gateway of the first network (32) if a connection between the gateway of the first network (32) and a gateway of the second network (41) is a secure connection.
- A method as claimed in any one of claims 16 to 18, wherein the first network is a first domain.
- A method as claimed in any one of claims 16 to 19, wherein the second network is a second domain.
- A first network (32) comprising:determining means for determining an address associated with a called party (44) in a second network (41); characterised by further comprising:determining means for determining based on said address if said called party (44) is in a trusted network; andcontrol means for controlling the communication between the called party (44) and a calling party (30) in the first network (32) in dependence on if it is determined that said called party (44) is in a trusted network wherein if the called party (44) is not in a trusted network, at least one message for the called party is modified.
- A communications system comprising a first network (32) as claimed in claim 21 and a second network (41) having a called party (44).
- A first network as claimed in claim 21, wherein the determining means comprises means for determining if a connection from the first network (30) to the second network (44) is secured.
- A first network as claimed in one of claims 21 and 23, wherein the determining means is in a gateway of the first network.
- A first network as claimed in claim 24, wherein the determining means comprises means for determining if a connection between the gateway of the first network (32) and a gateway of the second network (41) is a secure connection.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GBGB0322891.3A GB0322891D0 (en) | 2003-09-30 | 2003-09-30 | Communication method |
PCT/IB2004/003130 WO2005034472A1 (en) | 2003-09-30 | 2004-09-27 | Method and system for providing a secure communication between communication networks |
Publications (2)
Publication Number | Publication Date |
---|---|
EP1668862A1 EP1668862A1 (en) | 2006-06-14 |
EP1668862B1 true EP1668862B1 (en) | 2011-09-21 |
Family
ID=29287136
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP04769484A Expired - Lifetime EP1668862B1 (en) | 2003-09-30 | 2004-09-27 | Method and system for providing a secure communication between communication networks |
Country Status (10)
Country | Link |
---|---|
US (1) | US7843948B2 (en) |
EP (1) | EP1668862B1 (en) |
JP (2) | JP2007507956A (en) |
KR (1) | KR100928247B1 (en) |
CN (1) | CN100571258C (en) |
AT (1) | ATE525840T1 (en) |
AU (1) | AU2004306243B2 (en) |
GB (1) | GB0322891D0 (en) |
HK (1) | HK1098269A1 (en) |
WO (1) | WO2005034472A1 (en) |
Families Citing this family (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP4074266B2 (en) * | 2004-05-26 | 2008-04-09 | 株式会社東芝 | Packet filtering device and packet filtering program |
US7984149B1 (en) * | 2004-08-04 | 2011-07-19 | Cisco Technology, Inc. | Method and apparatus for identifying a policy server |
US7609700B1 (en) * | 2005-03-11 | 2009-10-27 | At&T Mobility Ii Llc | QoS channels for multimedia services on a general purpose operating system platform using data cards |
US7742463B2 (en) * | 2005-08-18 | 2010-06-22 | Hong Kong Applied Science And Technology Research Institute Co., Ltd. | Security gatekeeper for a packetized voice communication network |
KR100644220B1 (en) | 2005-08-29 | 2006-11-10 | 삼성전자주식회사 | Apparatus and method for hiding through path using session initiation protocol |
US8213408B1 (en) * | 2005-09-16 | 2012-07-03 | Genband Us Llc | Providing security in a multimedia network |
GB2432748A (en) | 2005-11-25 | 2007-05-30 | Ericsson Telefon Ab L M | SIP messaging in an IP Multimedia Subsystem wherein a local user identity is added to message header as a basis for application server processing |
WO2007093079A1 (en) * | 2006-02-16 | 2007-08-23 | Zte Corporation | Implementation method of crossdomain multi-gatekeeper packet network key negotiation security policy |
US8561127B1 (en) * | 2006-03-01 | 2013-10-15 | Adobe Systems Incorporated | Classification of security sensitive information and application of customizable security policies |
US20090003249A1 (en) * | 2007-06-27 | 2009-01-01 | Microsoft Corporation | Determination and Display of Endpoint Identities |
JP5496907B2 (en) * | 2007-11-30 | 2014-05-21 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | Key management for secure communication |
EP2091192A1 (en) * | 2008-02-15 | 2009-08-19 | Nokia Siemens Networks Oy | Interworking between messaging service domains |
US20100175122A1 (en) * | 2009-01-08 | 2010-07-08 | Verizon Corporate Resources Group Llc | System and method for preventing header spoofing |
KR101333164B1 (en) * | 2009-04-13 | 2013-11-27 | 블랙베리 리미티드 | System and method for determining trust for sip messages |
US8948057B2 (en) * | 2009-12-15 | 2015-02-03 | At&T Intellectual Property I, L.P. | Securing uniform resource identifier information for multimedia calls |
JP6081886B2 (en) * | 2013-08-07 | 2017-02-15 | 日本電信電話株式会社 | Subscriber data providing method and subscriber data providing apparatus |
US10110732B2 (en) * | 2015-10-22 | 2018-10-23 | Comcast Cable Communications, Llc | Caller number identification |
DK3756326T3 (en) * | 2018-02-19 | 2021-09-06 | Ericsson Telefon Ab L M | Security Negotiation in Service-Based Architectures (SBA) |
JP6845824B2 (en) * | 2018-03-26 | 2021-03-24 | 株式会社バンダイ | Directing output toys |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6483912B1 (en) * | 1998-08-04 | 2002-11-19 | At&T Corp. | Method for allocating network resources |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5204961A (en) | 1990-06-25 | 1993-04-20 | Digital Equipment Corporation | Computer network operating with multilevel hierarchical security with selectable common trust realms and corresponding security protocols |
US5802320A (en) | 1995-05-18 | 1998-09-01 | Sun Microsystems, Inc. | System for packet filtering of data packets at a computer network interface |
JPH09130428A (en) * | 1995-09-01 | 1997-05-16 | Fujitsu Ltd | Data transmission restricting device |
DE69734179T2 (en) | 1996-07-15 | 2006-06-29 | At & T Corp. | Method and device for limiting access to private information in domain name systems by means of information filtering |
US6711147B1 (en) * | 1999-04-01 | 2004-03-23 | Nortel Networks Limited | Merged packet service and mobile internet protocol |
US6738908B1 (en) * | 1999-05-06 | 2004-05-18 | Watchguard Technologies, Inc. | Generalized network security policy templates for implementing similar network security policies across multiple networks |
US6321267B1 (en) * | 1999-11-23 | 2001-11-20 | Escom Corporation | Method and apparatus for filtering junk email |
US7069432B1 (en) * | 2000-01-04 | 2006-06-27 | Cisco Technology, Inc. | System and method for providing security in a telecommunication network |
JP3749129B2 (en) | 2001-02-01 | 2006-02-22 | 株式会社東芝 | E-mail system, e-mail transmission control method, and relay apparatus |
US6956935B2 (en) * | 2001-12-17 | 2005-10-18 | International Business Machines Corporation | Origin device billing according to caller |
GB0227049D0 (en) * | 2002-11-20 | 2002-12-24 | Bae Sys Defence Sys Ltd | Management of network security domains |
US20040111642A1 (en) * | 2002-12-05 | 2004-06-10 | Amir Peles | Content security by network switch |
-
2003
- 2003-09-30 GB GBGB0322891.3A patent/GB0322891D0/en not_active Ceased
-
2004
- 2004-03-31 US US10/813,402 patent/US7843948B2/en active Active
- 2004-09-27 EP EP04769484A patent/EP1668862B1/en not_active Expired - Lifetime
- 2004-09-27 WO PCT/IB2004/003130 patent/WO2005034472A1/en active Application Filing
- 2004-09-27 JP JP2006530733A patent/JP2007507956A/en not_active Withdrawn
- 2004-09-27 AU AU2004306243A patent/AU2004306243B2/en active Active
- 2004-09-27 KR KR1020067006110A patent/KR100928247B1/en active IP Right Grant
- 2004-09-27 AT AT04769484T patent/ATE525840T1/en not_active IP Right Cessation
- 2004-09-27 CN CNB2004800313886A patent/CN100571258C/en not_active Expired - Lifetime
-
2007
- 2007-05-25 HK HK07105515.8A patent/HK1098269A1/en unknown
-
2009
- 2009-05-29 JP JP2009131332A patent/JP2009284492A/en active Pending
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6483912B1 (en) * | 1998-08-04 | 2002-11-19 | At&T Corp. | Method for allocating network resources |
Also Published As
Publication number | Publication date |
---|---|
JP2009284492A (en) | 2009-12-03 |
WO2005034472A1 (en) | 2005-04-14 |
EP1668862A1 (en) | 2006-06-14 |
AU2004306243A1 (en) | 2005-04-14 |
ATE525840T1 (en) | 2011-10-15 |
GB0322891D0 (en) | 2003-10-29 |
JP2007507956A (en) | 2007-03-29 |
HK1098269A1 (en) | 2007-07-13 |
KR100928247B1 (en) | 2009-11-24 |
CN100571258C (en) | 2009-12-16 |
US7843948B2 (en) | 2010-11-30 |
KR20060060045A (en) | 2006-06-02 |
AU2004306243B2 (en) | 2010-03-18 |
US20050068935A1 (en) | 2005-03-31 |
CN1871834A (en) | 2006-11-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP1668862B1 (en) | Method and system for providing a secure communication between communication networks | |
US9967348B2 (en) | Methods and apparatus for providing session policy during a registration of a device | |
US8929360B2 (en) | Systems, methods, media, and means for hiding network topology | |
EP1844594B1 (en) | Method and apparatuses for transmission of user identities in an ip multimedia subsystem | |
US7697471B2 (en) | Address translation in a communication system | |
US7941547B2 (en) | Policy information in multiple PDFs | |
EP1994707B1 (en) | Access control in a communication network | |
US7620808B2 (en) | Security of a communication system | |
KR20050099543A (en) | Mobile network having ip multimedia subsystem (ims) entities and solutions for providing simplification of operations and compatibility between different ims entities | |
WO2004012419A1 (en) | Packet filter provisioning | |
EP2273752B1 (en) | Controlling data sessions in a communication system | |
EP1595418B1 (en) | A communication system | |
Garcia-Martin | Input 3rd-generation partnership project (3GPP) release 5 requirements on the session initiation protocol (SIP) | |
Garcia-Martin | Rfc 4083: Input 3rd-generation partnership project (3gpp) release 5 requirements on the session initiation protocol (sip) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20060321 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR |
|
17Q | First examination report despatched |
Effective date: 20061201 |
|
DAX | Request for extension of the european patent (deleted) | ||
RIN1 | Information on inventor provided before grant (corrected) |
Inventor name: NIEMI, VALTTERI Inventor name: NIEMI, AKI Inventor name: BAJKO, GABOR |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LI LU MC NL PL PT RO SE SI SK TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R081 Ref document number: 602004034462 Country of ref document: DE Owner name: NOKIA TECHNOLOGIES OY, FI Free format text: FORMER OWNER: NOKIA CORP., 02610 ESPOO, FI |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: T3 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 602004034462 Country of ref document: DE Effective date: 20111117 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20111222 Ref country code: AT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: MK05 Ref document number: 525840 Country of ref document: AT Kind code of ref document: T Effective date: 20110921 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20110930 Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: MM4A |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20110927 Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20110930 Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20110930 |
|
26N | No opposition filed |
Effective date: 20120622 |
|
GBPC | Gb: european patent ceased through non-payment of renewal fee |
Effective date: 20111221 |
|
REG | Reference to a national code |
Ref country code: FR Ref legal event code: ST Effective date: 20120817 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 602004034462 Country of ref document: DE Effective date: 20120622 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: GB Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20111221 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20120101 Ref country code: FR Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20111121 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20110927 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20111221 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: HU Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20110921 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R081 Ref document number: 602004034462 Country of ref document: DE Owner name: NOKIA TECHNOLOGIES OY, FI Free format text: FORMER OWNER: NOKIA CORPORATION, ESPOO, FI Ref country code: DE Ref legal event code: R081 Ref document number: 602004034462 Country of ref document: DE Owner name: NOKIA TECHNOLOGIES OY, FI Free format text: FORMER OWNER: NOKIA CORPORATION, 02610 ESPOO, FI |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: PD Owner name: NOKIA TECHNOLOGIES OY; FI Free format text: DETAILS ASSIGNMENT: VERANDERING VAN EIGENAAR(S), OVERDRACHT; FORMER OWNER NAME: NOKIA CORPORATION Effective date: 20151111 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R079 Ref document number: 602004034462 Country of ref document: DE Free format text: PREVIOUS MAIN CLASS: H04L0029060000 Ipc: H04L0065000000 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: NL Payment date: 20230816 Year of fee payment: 20 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: DE Payment date: 20230802 Year of fee payment: 20 |